Introduction
Day off. I am drinking coffee. A student set up a VPN connection between two sites and vanished. I check: the tunnel is there, but there is no traffic in it. The student does not answer the phone.
I put the kettle on and dive into troubleshooting the S-Terra Gateway. Here is my experience and my method.
Initial data
Two geographically separated sites are connected by a GRE tunnel, and the GRE traffic must be encrypted. From the outputs below: the GRE tunnel runs between R1 (172.16.0.1) and R2 (172.17.0.1) with tunnel addresses 1.1.1.1 and 1.1.1.2; Gate1 (10.10.10.251) and Gate2 (10.10.10.252) carry it over IPsec.
I check whether the GRE tunnel works. To do that, I ping the GRE interface of device R2 from device R1. This is the target traffic that is supposed to be encrypted. No reply:
root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
--- 1.1.1.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms
I check the logs on Gate1 and Gate2. The log cheerfully reports that the IPsec tunnel was established successfully, no problems:
root@Gate1:~# cat /var/log/cspvpngate.log
Aug 5 16:14:23 localhost vpnsvc: 00100119 <4:1> IPSec connection 5 established, traffic selector 172.17.0.1->172.16.0.1, proto 47, peer 10.10.10.251, id "10.10.10.251", Filter
IPsec:Protect:CMAP:1:LIST, IPsecAction IPsecAction:CMAP:1, IKERule IKERule:CMAP:1
In the IPsec tunnel statistics on Gate1 I see that the tunnel exists, but the Rcvd counter stays at zero:
root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded
ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1070 1014
IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 3 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 480 0
I troubleshoot S-Terra like this: I look for the point on the path from R1 to R2 where the target packets get lost. Along the way (spoiler) I find the error.
Finding the error
Step 1. What Gate1 receives from R1
I use the packet sniffer tcpdump. I start it on the internal interface (Gi0/1 in Cisco-like notation, eth1 in Debian OS notation):
root@Gate1:~# tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:53:38.879525 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 1, length 64
14:53:39.896869 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 2, length 64
14:53:40.921121 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 3, length 64
14:53:41.944958 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 4, length 64
I see that Gate1 receives the GRE packets from R1. Moving on.
Step 2. What Gate1 does with the GRE packets
With the klogview utility I can see what happens to the GRE packets inside the S-Terra VPN driver:
root@Gate1:~# klogview -f 0xffffffff
filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated
I see that the target GRE traffic (proto 47) 172.16.0.1 -> 172.17.0.1 matched the LIST encryption rule of the CMAP crypto map and was encapsulated. The resulting ESP packet was then routed out (passed out). There is no return traffic in the klogview output.
I check the access lists on Gate1. There is a single access list, LIST, which defines the target traffic for encryption; no access list is applied as a firewall rule:
Gate1#show access-lists
Extended IP access list LIST
10 permit gre host 172.16.0.1 host 172.17.0.1
Conclusion: the problem is not on Gate1.
More about klogview
The VPN driver handles all network traffic, not only the traffic that has to be encrypted. These are the messages klogview shows when the driver has processed a packet and forwarded it in the clear:
root@R1:~# ping 172.17.0.1 -c 4
root@Gate1:~# klogview -f 0xffffffff
filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered
I see that the ICMP traffic (proto 1) 172.16.0.1->172.17.0.1 did not match (no match) any encryption rule of the CMAP crypto map. The packet was routed out (passed out) in clear text.
Step 3. What Gate2 receives from Gate1
I start the sniffer on the WAN interface (eth0) of Gate2:
root@Gate2:~# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:05:45.104195 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x1), length 140
16:05:46.093918 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x2), length 140
16:05:47.117078 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x3), length 140
16:05:48.141785 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x4), length 140
I see that Gate2 receives the ESP packets from Gate1.
Step 4. What Gate2 does with the ESP packets
I start the klogview utility on Gate2:
root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall
I see that the ESP packets (proto 50) are dropped (DROP) by a firewall rule from the L3VPN chain. I confirm that the L3VPN access list is applied inbound on Gi0/0:
Gate2#show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 10.10.10.252/24
MTU is 1500 bytes
Outgoing access list is not set
Inbound access list is L3VPN
The problem is located.
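The driver messages in steps 2 and 4 are what actually locates the loss, so here is the check in code, as an added example that is not part of the original post and not an S-Terra tool: a small Python parser that walks klogview output from each gateway in path order and reports the first packet the driver dropped, with the chain and filter number that decided it. The sample lines are the ones quoted above, embedded as constants; the regular expressions are written against those lines only and are an assumption about the message format, not a specification of it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the klogview lines quoted in the article for Gate1
# (outbound GRE, encrypted on the way out), Gate1 again for the unencrypted ICMP
# case, and Gate2 (inbound ESP from Gate1). Not captured live here.
GATE1_GRE = """\
filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated
"""
GATE1_ICMP = """\
filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered
"""
GATE2_ESP = """\
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall
"""

PROTO_NAMES = {1: "ICMP", 17: "UDP", 47: "GRE", 50: "ESP"}

# "filtration result ..." lines name the chain (and rule) that decided, with
# "status PASS/DROP", or end in ": no match" when no rule in the chain applied.
# Both patterns are assumptions derived from the lines above, not a format spec.
FILTER_RE = re.compile(
    r'^filtration result for (?P<dir>in|out) packet (?P<src>[\d.]+)->(?P<dst>[\d.]+), '
    r'proto (?P<proto>\d+), len \d+, if \S+: chain (?P<chain_id>\d+) "(?P<chain>[^"]+)"'
    r'(?:, filter (?P<filter>\d+))?(?:, event id (?P<event>\S+))?'
    r'(?:, status (?P<status>\w+)|: (?P<nomatch>no match))$'
)
# "passed/dropped ..." lines carry the final verdict and the driver's reason
# (encapsulated, decapsulated, filtered, firewall).
VERDICT_RE = re.compile(
    r'^(?P<verdict>passed|dropped) (?P<dir>in|out) packet (?P<src>[\d.]+)->(?P<dst>[\d.]+), '
    r'proto (?P<proto>\d+), len \d+, if (?P<iface>\S+): (?P<reason>\w+)$'
)


@dataclass
class Decision:
    gateway: str
    direction: str
    src: str
    dst: str
    proto: int
    chain: Optional[str]      # chain consulted, if a filtration line preceded the verdict
    filter_id: Optional[int]  # rule number inside that chain; None on "no match"
    verdict: str              # "passed" or "dropped"
    reason: str               # driver's reason string


def parse_klogview(gateway: str, text: str) -> list[Decision]:
    """Pair each 'filtration result' line with the 'passed/dropped' line that follows it.

    Addresses may differ between the two lines (Gate1 reports the inner GRE packet in
    the filtration line and the outer ESP packet in the verdict line), so pairing is
    by order, not by address.
    """
    decisions: list[Decision] = []
    pending = None
    for line in text.splitlines():
        m = FILTER_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = VERDICT_RE.match(line)
        if m:
            chain = pending["chain"] if pending else None
            filt = int(pending["filter"]) if pending and pending["filter"] else None
            decisions.append(Decision(gateway, m["dir"], m["src"], m["dst"], int(m["proto"]),
                                      chain, filt, m["verdict"], m["reason"]))
            pending = None
    return decisions


def first_drop(path: list[tuple[str, str]]) -> Optional[Decision]:
    """Walk (gateway, klogview text) pairs in path order; return the first drop, or None."""
    for gateway, text in path:
        for d in parse_klogview(gateway, text):
            if d.verdict == "dropped":
                return d
    return None


def describe(d: Decision) -> str:
    proto = PROTO_NAMES.get(d.proto, str(d.proto))
    where = f'chain "{d.chain}"' if d.chain else "no chain"
    if d.filter_id is not None:
        where += f", filter {d.filter_id}"
    return f"{d.gateway}: {proto} {d.src}->{d.dst} ({d.direction}) {d.verdict} by {where}: {d.reason}"


if __name__ == "__main__":
    drop = first_drop([("Gate1", GATE1_GRE), ("Gate2", GATE2_ESP)])
    print(describe(drop) if drop else "no drops on the path")
```

On real output, feed each gateway's `klogview -f 0xffffffff` capture in path order; the first drop it reports is the hop to look at, which here is the L3VPN chain on Gate2 discarding ESP, exactly what step 4 shows by eye.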
Step 5. What is wrong with the access list
I look at what the L3VPN access list contains:
Gate2#show access-list L3VPN
Extended IP access list L3VPN
10 permit udp host 10.10.10.251 any eq isakmp
20 permit udp host 10.10.10.251 any eq non500-isakmp
30 permit icmp host 10.10.10.251 any
I see that ISAKMP packets (IKE on UDP/500 and UDP/4500) are permitted, which is why the IPsec tunnel gets established. But there is no permit for ESP (IP protocol 50), so the encrypted payload itself is discarded. Apparently the student confused icmp with esp.
I edit the access list:
Gate2(config)#
ip access-list extended L3VPN
no 30
30 permit esp host 10.10.10.251 any
Step 6. Checking that it works
First I verify that the L3VPN access list is now correct:
Gate2#show access-list L3VPN
Extended IP access list L3VPN
10 permit udp host 10.10.10.251 any eq isakmp
20 permit udp host 10.10.10.251 any eq non500-isakmp
30 permit esp host 10.10.10.251 any
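The access-list mistake in step 5 is easy to catch before anyone pings anything. As an added example (not part of the original post), here is the check I would script: parse an extended access list in the Cisco-like form shown above and verify that an inbound filter on the WAN interface permits everything an IPsec peer needs, IKE on UDP/500, NAT-T on UDP/4500 and ESP itself. The two ACL dumps are the ones quoted in steps 5 and 6, embedded as constants; the REQUIRED set, the regular expressions and the appended sequence numbers are assumptions of this script, and the entries it prints are a proposal, not the commands the author typed.

```python
import re

# Constructed input: the L3VPN access list as found on Gate2 in step 5 (ICMP where ESP
# should be) and the corrected list from step 6. Both copied from the article's output.
BROKEN_ACL = """\
Extended IP access list L3VPN
10 permit udp host 10.10.10.251 any eq isakmp
20 permit udp host 10.10.10.251 any eq non500-isakmp
30 permit icmp host 10.10.10.251 any
"""
FIXED_ACL = """\
Extended IP access list L3VPN
10 permit udp host 10.10.10.251 any eq isakmp
20 permit udp host 10.10.10.251 any eq non500-isakmp
30 permit esp host 10.10.10.251 any
"""

# What an inbound filter on the WAN interface must accept from an IPsec peer:
# IKE on UDP/500 (isakmp), NAT-T on UDP/4500 (non500-isakmp), and the encrypted
# payload itself, ESP (IP protocol 50, no ports). This set is an assumption for an
# ESP-only policy like the article's; a policy using AH (IP protocol 51) needs that too.
REQUIRED = {("udp", "isakmp"), ("udp", "non500-isakmp"), ("esp", None)}

HEADER_RE = re.compile(r'^Extended IP access list (?P<name>\S+)$')
# Assumes host-sourced entries as in the article's list; first-match ordering with
# deny entries ahead of a permit is not modelled here.
ENTRY_RE = re.compile(
    r'^(?P<seq>\d+) (?P<action>permit|deny) (?P<proto>\S+) '
    r'host (?P<src>[\d.]+) (?P<dst>any|host [\d.]+)(?: eq (?P<port>\S+))?$'
)


def parse_acl(text: str):
    """Return (name, entries) for a 'show access-list' dump in the syntax above."""
    name, entries = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name = m["name"]
            continue
        m = ENTRY_RE.match(line)
        if m:
            e = m.groupdict()
            e["seq"] = int(e["seq"])
            entries.append(e)
    return name, entries


def missing_for_peer(entries, peer: str):
    """Required (proto, port) pairs that no permit entry sourced from `peer` covers."""
    covered = {(e["proto"], e["port"]) for e in entries
               if e["action"] == "permit" and e["src"] == peer}
    return sorted(REQUIRED - covered, key=str)


def fix_acl(name: str, entries, peer: str):
    """CLI lines that append the missing permits after the highest sequence number.

    Existing entries (here the stray icmp permit) are left alone: whether to keep
    them is a policy decision, so the script only adds what the tunnel needs.
    """
    cmds = [f"ip access-list extended {name}"]
    seq = max((e["seq"] for e in entries), default=0)
    for proto, port in missing_for_peer(entries, peer):
        seq += 10
        suffix = f" eq {port}" if port else ""
        cmds.append(f" {seq} permit {proto} host {peer} any{suffix}")
    return cmds


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        name, entries = parse_acl(text)
        gaps = missing_for_peer(entries, "10.10.10.251")
        print(f"{label} {name}: missing {gaps or 'nothing'}")
        if gaps:
            print("\n".join(fix_acl(name, entries, "10.10.10.251")))
```

Run against the step 5 list it reports ESP as missing and proposes a `permit esp` entry; against the step 6 list it reports nothing missing. The check is deliberately per peer, because a permit for the wrong source address is as fatal to the tunnel as a missing protocol.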
Now I start the target traffic from device R1 again:
root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=35.3 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=3.01 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=2.65 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=2.87 ms
--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 2.650/10.970/35.338/14.069 ms
Success. The GRE tunnel is up. The Rcvd counter in the IPsec statistics is no longer zero:
root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded
ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1474 1350
IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 4 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 1920 480
On Gate2, the klogview output now shows that the target traffic 172.16.0.1->172.17.0.1 is accepted (PASS) by the LIST rule of the CMAP crypto map and decapsulated:
root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 18 "IPsecPolicy:CMAP", filter 25, event id IPsec:Protect:CMAP:1:LIST, status PASS
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated
Conclusion
Some student ruined my day off.
Be careful with firewall rules.
Anonymous engineer
t.me/anonymous_engineer
Source: www.habr.com